Closed madmaxio closed 4 years ago
Hi!
Could you be sure that host_here has not been changed recently?
Could you check your curl with other host with GOST?
Some changes on the server side you mean? I don't know other gost hosts, do you have any examples?
Well, I think these are 100% server side changes, but I have no idea what exactly happened, also it is zakupki gov ru.
Also, openssl s_client -connect gost.example.com:443 -showcerts works and shows certs for my host! So this can be an issue with curl build maybe.
And what is the output? Does it contain something about param set?
Here is the stderr, yes some info here:
depth=0 INN = 007710568760, OGRN = 1047797019830, street = "\D0\91\D0\BE\D0\BB\D1\8C\D1\88\D0\BE\D0\B9 \D0\97\D0\BB\D0\B0\D1\82\D0\BE\D1\83\D1\81\D1\82\D0\B8\D0\BD\D1\81\D0\BA\D0\B8\D0\B9 \D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA, \D0\B4.6, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", emailAddress = isfk@roskazna.ru, C = RU, ST = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, O = \D0\A4\D0\B5\D0\B4\D0\B5\D1\80\D0\B0\D0\BB\D1\8C\D0\BD\D0\BE\D0\B5 \D0\BA\D0\B0\D0\B7\D0\BD\D0\B0\D1\87\D0\B5\D0\B9\D1\81\D1\82\D0\B2\D0\BE, OU = \D0\A3\D0\BF\D1\80\D0\B0\D0\B2\D0\BB\D0\B5\D0\BD\D0\B8\D0\B5 \D0\B8\D0\BD\D1\84\D0\BE\D1\80\D0\BC\D0\B0\D1\86\D0\B8\D0\BE\D0\BD\D0\BD\D0\BE\D0\B9 \D0\B8\D0\BD\D1\84\D1\80\D0\B0\D1\81\D1\82\D1\80\D1\83\D0\BA\D1\82\D1\83\D1\80\D0\BE\D0\B9, title = \D0\97\D0\B0\D0\BC\D0\B5\D1\81\D1\82\D0\B8\D1\82\D0\B5\D0\BB\D1\8C \D0\BD\D0\B0\D1\87\D0\B0\D0\BB\D1\8C\D0\BD\D0\B8\D0\BA\D0\B0 \D0\A3\D0\BF\D1\80\D0\B0\D0\B2\D0\BB\D0\B5\D0\BD\D0\B8\D1\8F, CN = zakupki.gov.ru
verify error:num=66:EE certificate key too weak
verify return:1
depth=2 emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
verify error:num=19:self signed certificate in certificate chain
140022237410432:error:8006607F:lib(128):FILL_GOST_EC_PARAMS:unsupported parameter set:/usr/local/src/engine-3bd506dcbb835c644bd15a58f0073ae41f76cb06/gost_ec_sign.c:82:
140022237410432:error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error:crypto/x509/x_pubkey.c:124:
140022237410432:error:1416F0EF:SSL routines:tls_process_server_certificate:unable to find public key parameters:ssl/statem/statem_clnt.c:1254:
I found an update in the GOST lib: https://github.com/gost-engine/engine/commit/b2e0f8c6e708e70fcfea9384095aa48f2774af47 Need time to rebuild.
Awesome! So you will push update to docker hub?
I've pushed dev label rnix/openssl-gost:dev and it works with some GOST hosts:
docker run --rm rnix/openssl-gost:dev curl https://alpha.demo.nbki.ru -k
But for your host:
docker run --rm rnix/openssl-gost:dev curl https://zakupki.gov.ru -k
it is
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to zakupki.gov.ru:443
Do you use the client's certificate? It can be the reason of error to me.
No, I don't. Same problem for me
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to zakupki.gov.ru:443
As far as I understood from googling, this is random server side problem, so this is not fixable without accessing the server itself?
I have the same error when I'm trying to connect to portal.rosreestr.ru:4455
curl https://portal.rosreestr.ru:4455 -k -v --key key.pem --cert cert.pem
* Rebuilt URL to: https://portal.rosreestr.ru:4455/
* Trying 217.77.104.130...
* TCP_NODELAY set
* Connected to portal.rosreestr.ru (217.77.104.130) port 4455 (#0)
* ALPN, offering http/1.1
* ignoring certificate verify locations due to disabled peer verification
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* error:8006607F:lib(128):FILL_GOST_EC_PARAMS:unsupported parameter set
* Closing connection 0
curl: (35) error:8006607F:lib(128):FILL_GOST_EC_PARAMS:unsupported parameter set
but for zakupki.gov.ru:443 it works fine
curl https://zakupki.gov.ru -k
<html>
<head>
<script language="Javascript" type="text/javascript">
location.replace("http://zakupki.gov.ru/");
</script>
</head>
<body>
</body>
</html>
I have tried to do this command
$ openssl s_client -connect portal.rosreestr.ru:4455
CONNECTED(00000003)
depth=0 OGRN = 1047796940465, INN = 007706560536, street = "\D1\83\D0\BB. \D0\92\D0\BE\D1\80\D0\BE\D0\BD\D1\86\D0\BE\D0\B2\D0\BE \D0\9F\D0\BE\D0\BB\D0\B5, \D0\B4. 4\D0\90", L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, C = RU, emailAddress = 00_OZIL1@rosreestr.ru, O = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80, CN = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80
verify error:num=66:EE certificate key too weak
verify return:1
depth=2 emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
verify error:num=19:self signed certificate in certificate chain
139955203937408:error:8006607F:lib(128):FILL_GOST_EC_PARAMS:unsupported parameter set:/usr/local/src/engine-3bd506dcbb835c644bd15a58f0073ae41f76cb06/gost_ec_sign.c:82:
139955203937408:error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error:crypto/x509/x_pubkey.c:124:
139955203937408:error:1416F0EF:SSL routines:tls_process_server_certificate:unable to find public key parameters:ssl/statem/statem_clnt.c:1254:
---
Certificate chain
0 s:/OGRN=1047796940465/INN=007706560536/street=\xD1\x83\xD0\xBB. \xD0\x92\xD0\xBE\xD1\x80\xD0\xBE\xD0\xBD\xD1\x86\xD0\xBE\xD0\xB2\xD0\xBE \xD0\x9F\xD0\xBE\xD0\xBB\xD0\xB5, \xD0\xB4. 4\xD0\x90/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/C=RU/emailAddress=00_OZIL1@rosreestr.ru/O=\xD0\xA0\xD0\xBE\xD1\x81\xD1\x80\xD0\xB5\xD0\xB5\xD1\x81\xD1\x82\xD1\x80/CN=\xD0\xA0\xD0\xBE\xD1\x81\xD1\x80\xD0\xB5\xD0\xB5\xD1\x81\xD1\x82\xD1\x80
i:/OGRN=1027700485757/INN=007705401340/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD0\xBF\xD0\xB5\xD1\x80\xD0\xB5\xD1\x83\xD0\xBB\xD0\xBE\xD0\xBA \xD0\x9E\xD1\x80\xD0\xBB\xD0\xB8\xD0\xBA\xD0\xBE\xD0\xB2, \xD0\xB4\xD0\xBE\xD0\xBC 10, \xD1\x81\xD1\x82\xD1\x80\xD0\xBE\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 1/OU=\xD0\xA3\xD0\xB4\xD0\xBE\xD1\x81\xD1\x82\xD0\xBE\xD0\xB2\xD0\xB5\xD1\x80\xD1\x8F\xD1\x8E\xD1\x89\xD0\xB8\xD0\xB9 \xD1\x86\xD0\xB5\xD0\xBD\xD1\x82\xD1\x80/O=\xD0\xA4\xD0\x93\xD0\x91\xD0\xA3 "\xD0\xA4\xD0\x9A\xD0\x9F \xD0\xA0\xD0\xBE\xD1\x81\xD1\x80\xD0\xB5\xD0\xB5\xD1\x81\xD1\x82\xD1\x80\xD0\xB0"/CN=\xD0\xA4\xD0\x93\xD0\x91\xD0\xA3 "\xD0\xA4\xD0\x9A\xD0\x9F \xD0\xA0\xD0\xBE\xD1\x81\xD1\x80\xD0\xB5\xD0\xB5\xD1\x81\xD1\x82\xD1\x80\xD0\xB0"
1 s:/OGRN=1027700485757/INN=007705401340/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD0\xBF\xD0\xB5\xD1\x80\xD0\xB5\xD1\x83\xD0\xBB\xD0\xBE\xD0\xBA \xD0\x9E\xD1\x80\xD0\xBB\xD0\xB8\xD0\xBA\xD0\xBE\xD0\xB2, \xD0\xB4\xD0\xBE\xD0\xBC 10, \xD1\x81\xD1\x82\xD1\x80\xD0\xBE\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 1/OU=\xD0\xA3\xD0\xB4\xD0\xBE\xD1\x81\xD1\x82\xD0\xBE\xD0\xB2\xD0\xB5\xD1\x80\xD1\x8F\xD1\x8E\xD1\x89\xD0\xB8\xD0\xB9 \xD1\x86\xD0\xB5\xD0\xBD\xD1\x82\xD1\x80/O=\xD0\xA4\xD0\x93\xD0\x91\xD0\xA3 "\xD0\xA4\xD0\x9A\xD0\x9F \xD0\xA0\xD0\xBE\xD1\x81\xD1\x80\xD0\xB5\xD0\xB5\xD1\x81\xD1\x82\xD1\x80\xD0\xB0"/CN=\xD0\xA4\xD0\x93\xD0\x91\xD0\xA3 "\xD0\xA4\xD0\x9A\xD0\x9F \xD0\xA0\xD0\xBE\xD1\x81\xD1\x80\xD0\xB5\xD0\xB5\xD1\x81\xD1\x82\xD1\x80\xD0\xB0"
i:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD1\x83\xD0\xBB\xD0\xB8\xD1\x86\xD0\xB0 \xD0\xA2\xD0\xB2\xD0\xB5\xD1\x80\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F, \xD0\xB4\xD0\xBE\xD0\xBC 7/O=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8/OGRN=1047702026701/INN=007710474375/CN=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8
2 s:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD1\x83\xD0\xBB\xD0\xB8\xD1\x86\xD0\xB0 \xD0\xA2\xD0\xB2\xD0\xB5\xD1\x80\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F, \xD0\xB4\xD0\xBE\xD0\xBC 7/O=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8/OGRN=1047702026701/INN=007710474375/CN=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8
i:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD1\x83\xD0\xBB\xD0\xB8\xD1\x86\xD0\xB0 \xD0\xA2\xD0\xB2\xD0\xB5\xD1\x80\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F, \xD0\xB4\xD0\xBE\xD0\xBC 7/O=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8/OGRN=1047702026701/INN=007710474375/CN=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5499 bytes and written 186 bytes
Verification error: self signed certificate in certificate chain
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1574163359
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
and
$ openssl s_client -connect zakupki.gov.ru:443
CONNECTED(00000003)
depth=2 emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/INN=007710568760/OGRN=1047797019830/street=\xD0\x91\xD0\xBE\xD0\xBB\xD1\x8C\xD1\x88\xD0\xBE\xD0\xB9 \xD0\x97\xD0\xBB\xD0\xB0\xD1\x82\xD0\xBE\xD1\x83\xD1\x81\xD1\x82\xD0\xB8\xD0\xBD\xD1\x81\xD0\xBA\xD0\xB8\xD0\xB9 \xD0\xBF\xD0\xB5\xD1\x80\xD0\xB5\xD1\x83\xD0\xBB\xD0\xBE\xD0\xBA, \xD0\xB4.6, \xD1\x81\xD1\x82\xD1\x80\xD0\xBE\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 1./emailAddress=isfk@roskazna.ru/C=RU/ST=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/O=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE/OU=\xD0\xA3\xD0\xBF\xD1\x80\xD0\xB0\xD0\xB2\xD0\xBB\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 \xD1\x80\xD0\xB0\xD0\xB7\xD0\xB2\xD0\xB8\xD1\x82\xD0\xB8\xD1\x8F \xD0\xBA\xD0\xBE\xD0\xBD\xD1\x82\xD1\x80\xD0\xB0\xD0\xBA\xD1\x82\xD0\xBD\xD0\xBE\xD0\xB9 \xD1\x81\xD0\xB8\xD1\x81\xD1\x82\xD0\xB5\xD0\xBC\xD1\x8B/title=\xD0\x97\xD0\xB0\xD0\xBC\xD0\xB5\xD1\x81\xD1\x82\xD0\xB8\xD1\x82\xD0\xB5\xD0\xBB\xD1\x8C \xD0\xBD\xD0\xB0\xD1\x87\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xB8\xD0\xBA\xD0\xB0 \xD0\xA3\xD0\xBF\xD1\x80\xD0\xB0\xD0\xB2\xD0\xBB\xD0\xB5\xD0\xBD\xD0\xB8\xD1\x8F/CN=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE
i:/emailAddress=uc_fk@roskazna.ru/ST=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/INN=007710568760/OGRN=1047797019830/street=\xD0\x91\xD0\xBE\xD0\xBB\xD1\x8C\xD1\x88\xD0\xBE\xD0\xB9 \xD0\x97\xD0\xBB\xD0\xB0\xD1\x82\xD0\xBE\xD1\x83\xD1\x81\xD1\x82\xD0\xB8\xD0\xBD\xD1\x81\xD0\xBA\xD0\xB8\xD0\xB9 \xD0\xBF\xD0\xB5\xD1\x80\xD0\xB5\xD1\x83\xD0\xBB\xD0\xBE\xD0\xBA, \xD0\xB4. 6, \xD1\x81\xD1\x82\xD1\x80\xD0\xBE\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 1/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/C=RU/O=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE/CN=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE
1 s:/emailAddress=uc_fk@roskazna.ru/ST=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/INN=007710568760/OGRN=1047797019830/street=\xD0\x91\xD0\xBE\xD0\xBB\xD1\x8C\xD1\x88\xD0\xBE\xD0\xB9 \xD0\x97\xD0\xBB\xD0\xB0\xD1\x82\xD0\xBE\xD1\x83\xD1\x81\xD1\x82\xD0\xB8\xD0\xBD\xD1\x81\xD0\xBA\xD0\xB8\xD0\xB9 \xD0\xBF\xD0\xB5\xD1\x80\xD0\xB5\xD1\x83\xD0\xBB\xD0\xBE\xD0\xBA, \xD0\xB4. 6, \xD1\x81\xD1\x82\xD1\x80\xD0\xBE\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 1/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/C=RU/O=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE/CN=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE
i:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD1\x83\xD0\xBB\xD0\xB8\xD1\x86\xD0\xB0 \xD0\xA2\xD0\xB2\xD0\xB5\xD1\x80\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F, \xD0\xB4\xD0\xBE\xD0\xBC 7/O=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8/OGRN=1047702026701/INN=007710474375/CN=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8
2 s:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD1\x83\xD0\xBB\xD0\xB8\xD1\x86\xD0\xB0 \xD0\xA2\xD0\xB2\xD0\xB5\xD1\x80\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F, \xD0\xB4\xD0\xBE\xD0\xBC 7/O=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8/OGRN=1047702026701/INN=007710474375/CN=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8
i:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/street=\xD1\x83\xD0\xBB\xD0\xB8\xD1\x86\xD0\xB0 \xD0\xA2\xD0\xB2\xD0\xB5\xD1\x80\xD1\x81\xD0\xBA\xD0\xB0\xD1\x8F, \xD0\xB4\xD0\xBE\xD0\xBC 7/O=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8/OGRN=1047702026701/INN=007710474375/CN=\xD0\x9C\xD0\xB8\xD0\xBD\xD0\xBA\xD0\xBE\xD0\xBC\xD1\x81\xD0\xB2\xD1\x8F\xD0\xB7\xD1\x8C \xD0\xA0\xD0\xBE\xD1\x81\xD1\x81\xD0\xB8\xD0\xB8
---
Server certificate
subject=/INN=007710568760/OGRN=1047797019830/street=\xD0\x91\xD0\xBE\xD0\xBB\xD1\x8C\xD1\x88\xD0\xBE\xD0\xB9 \xD0\x97\xD0\xBB\xD0\xB0\xD1\x82\xD0\xBE\xD1\x83\xD1\x81\xD1\x82\xD0\xB8\xD0\xBD\xD1\x81\xD0\xBA\xD0\xB8\xD0\xB9 \xD0\xBF\xD0\xB5\xD1\x80\xD0\xB5\xD1\x83\xD0\xBB\xD0\xBE\xD0\xBA, \xD0\xB4.6, \xD1\x81\xD1\x82\xD1\x80\xD0\xBE\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 1./emailAddress=isfk@roskazna.ru/C=RU/ST=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/O=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE/OU=\xD0\xA3\xD0\xBF\xD1\x80\xD0\xB0\xD0\xB2\xD0\xBB\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 \xD1\x80\xD0\xB0\xD0\xB7\xD0\xB2\xD0\xB8\xD1\x82\xD0\xB8\xD1\x8F \xD0\xBA\xD0\xBE\xD0\xBD\xD1\x82\xD1\x80\xD0\xB0\xD0\xBA\xD1\x82\xD0\xBD\xD0\xBE\xD0\xB9 \xD1\x81\xD0\xB8\xD1\x81\xD1\x82\xD0\xB5\xD0\xBC\xD1\x8B/title=\xD0\x97\xD0\xB0\xD0\xBC\xD0\xB5\xD1\x81\xD1\x82\xD0\xB8\xD1\x82\xD0\xB5\xD0\xBB\xD1\x8C \xD0\xBD\xD0\xB0\xD1\x87\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xB8\xD0\xBA\xD0\xB0 \xD0\xA3\xD0\xBF\xD1\x80\xD0\xB0\xD0\xB2\xD0\xBB\xD0\xB5\xD0\xBD\xD0\xB8\xD1\x8F/CN=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE
issuer=/emailAddress=uc_fk@roskazna.ru/ST=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/INN=007710568760/OGRN=1047797019830/street=\xD0\x91\xD0\xBE\xD0\xBB\xD1\x8C\xD1\x88\xD0\xBE\xD0\xB9 \xD0\x97\xD0\xBB\xD0\xB0\xD1\x82\xD0\xBE\xD1\x83\xD1\x81\xD1\x82\xD0\xB8\xD0\xBD\xD1\x81\xD0\xBA\xD0\xB8\xD0\xB9 \xD0\xBF\xD0\xB5\xD1\x80\xD0\xB5\xD1\x83\xD0\xBB\xD0\xBE\xD0\xBA, \xD0\xB4. 6, \xD1\x81\xD1\x82\xD1\x80\xD0\xBE\xD0\xB5\xD0\xBD\xD0\xB8\xD0\xB5 1/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/C=RU/O=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE/CN=\xD0\xA4\xD0\xB5\xD0\xB4\xD0\xB5\xD1\x80\xD0\xB0\xD0\xBB\xD1\x8C\xD0\xBD\xD0\xBE\xD0\xB5 \xD0\xBA\xD0\xB0\xD0\xB7\xD0\xBD\xD0\xB0\xD1\x87\xD0\xB5\xD0\xB9\xD1\x81\xD1\x82\xD0\xB2\xD0\xBE
---
No client certificate CA names sent
---
SSL handshake has read 5814 bytes and written 401 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.0, Cipher is GOST2012-GOST8912-GOST8912
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : GOST2012-GOST8912-GOST8912
Session-ID: 4CC927C65EA6A18EFCD75FC547FF3C4D5AF9424515CFE8155D8421E19E6D3BA1
Session-ID-ctx:
Master-Key: 261610951BBEC4E2DE08A6EAAF3F7506491419F09702C7A85C2306865EAAEA1B18548CDF0D6CD8B17D323F6BD3C501D7
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 1800 (seconds)
TLS session ticket:
Start Time: 1574163455
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no
---
Maybe that's why portal.rosreestr.ru:4455 uses TLSv1.2
If I use the :dev tag I have the same output
$ curl https://portal.rosreestr.ru:4455 -k -v --key key.pem --cert cert.pem
* Trying 217.77.104.130...
* TCP_NODELAY set
* Connected to portal.rosreestr.ru (217.77.104.130) port 4455 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, decode error (562):
* error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error
* Closing connection 0
curl: (35) error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error
AND
$ openssl s_client -connect portal.rosreestr.ru:4455
CONNECTED(00000003)
depth=2 emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
verify return:1
depth=1 OGRN = 1027700485757, INN = 007705401340, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA \D0\9E\D1\80\D0\BB\D0\B8\D0\BA\D0\BE\D0\B2, \D0\B4\D0\BE\D0\BC 10, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", OU = \D0\A3\D0\B4\D0\BE\D1\81\D1\82\D0\BE\D0\B2\D0\B5\D1\80\D1\8F\D1\8E\D1\89\D0\B8\D0\B9 \D1\86\D0\B5\D0\BD\D1\82\D1\80, O = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\", CN = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\"
verify return:1
depth=0 OGRN = 1047796940465, INN = 007706560536, street = "\D1\83\D0\BB. \D0\92\D0\BE\D1\80\D0\BE\D0\BD\D1\86\D0\BE\D0\B2\D0\BE \D0\9F\D0\BE\D0\BB\D0\B5, \D0\B4. 4\D0\90", L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, C = RU, emailAddress = 00_OZIL1@rosreestr.ru, O = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80, CN = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80
verify return:1
139634882264704:error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error:ssl/record/rec_layer_s3.c:1588:SSL alert number 50
---
Certificate chain
0 s:OGRN = 1047796940465, INN = 007706560536, street = "\D1\83\D0\BB. \D0\92\D0\BE\D1\80\D0\BE\D0\BD\D1\86\D0\BE\D0\B2\D0\BE \D0\9F\D0\BE\D0\BB\D0\B5, \D0\B4. 4\D0\90", L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, C = RU, emailAddress = 00_OZIL1@rosreestr.ru, O = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80, CN = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80
i:OGRN = 1027700485757, INN = 007705401340, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA \D0\9E\D1\80\D0\BB\D0\B8\D0\BA\D0\BE\D0\B2, \D0\B4\D0\BE\D0\BC 10, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", OU = \D0\A3\D0\B4\D0\BE\D1\81\D1\82\D0\BE\D0\B2\D0\B5\D1\80\D1\8F\D1\8E\D1\89\D0\B8\D0\B9 \D1\86\D0\B5\D0\BD\D1\82\D1\80, O = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\", CN = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\"
1 s:OGRN = 1027700485757, INN = 007705401340, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA \D0\9E\D1\80\D0\BB\D0\B8\D0\BA\D0\BE\D0\B2, \D0\B4\D0\BE\D0\BC 10, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", OU = \D0\A3\D0\B4\D0\BE\D1\81\D1\82\D0\BE\D0\B2\D0\B5\D1\80\D1\8F\D1\8E\D1\89\D0\B8\D0\B9 \D1\86\D0\B5\D0\BD\D1\82\D1\80, O = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\", CN = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\"
i:emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
2 s:emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
i:emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
---
Server certificate
subject=OGRN = 1047796940465, INN = 007706560536, street = "\D1\83\D0\BB. \D0\92\D0\BE\D1\80\D0\BE\D0\BD\D1\86\D0\BE\D0\B2\D0\BE \D0\9F\D0\BE\D0\BB\D0\B5, \D0\B4. 4\D0\90", L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, C = RU, emailAddress = 00_OZIL1@rosreestr.ru, O = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80, CN = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80
issuer=OGRN = 1027700485757, INN = 007705401340, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA \D0\9E\D1\80\D0\BB\D0\B8\D0\BA\D0\BE\D0\B2, \D0\B4\D0\BE\D0\BC 10, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", OU = \D0\A3\D0\B4\D0\BE\D1\81\D1\82\D0\BE\D0\B2\D0\B5\D1\80\D1\8F\D1\8E\D1\89\D0\B8\D0\B9 \D1\86\D0\B5\D0\BD\D1\82\D1\80, O = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\", CN = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\"
---
Acceptable client certificate CA names
OGRN = 1027700485757, INN = 007705401340, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA \D0\9E\D1\80\D0\BB\D0\B8\D0\BA\D0\BE\D0\B2, \D0\B4\D0\BE\D0\BC 10, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", OU = \D0\A3\D0\B4\D0\BE\D1\81\D1\82\D0\BE\D0\B2\D0\B5\D1\80\D1\8F\D1\8E\D1\89\D0\B8\D0\B9 \D1\86\D0\B5\D0\BD\D1\82\D1\80, O = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\", CN = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\"
emailAddress = dit@minsvyaz.ru, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\B3. \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D1\83\D0\BB\D0\B8\D1\86\D0\B0 \D0\A2\D0\B2\D0\B5\D1\80\D1\81\D0\BA\D0\B0\D1\8F, \D0\B4\D0\BE\D0\BC 7", O = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8, OGRN = 1047702026701, INN = 007710474375, CN = \D0\9C\D0\B8\D0\BD\D0\BA\D0\BE\D0\BC\D1\81\D0\B2\D1\8F\D0\B7\D1\8C \D0\A0\D0\BE\D1\81\D1\81\D0\B8\D0\B8
Client Certificate Types: GOST01 Sign, UNKNOWN (238),, UNKNOWN (239),
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:gost2001+md_gost94:gost2012_256+md_gost12_256:gost2012_512+md_gost12_512
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:gost2001+md_gost94:gost2012_256+md_gost12_256:gost2012_512+md_gost12_512
---
SSL handshake has read 6209 bytes and written 550 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.0, Cipher is GOST2012-GOST8912-GOST8912
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : GOST2012-GOST8912-GOST8912
Session-ID:
Session-ID-ctx:
Master-Key: D1E7A5E3D0D6AF33850343FB062942C1C896671782464F282597161E8963409B443336608B502018DB01DFC535595158
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1574164010
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: no
---
I've rewritten gost-engine and rebuilt it for TLS v1.2 support. You can see it in the gosha20777/openssl-gost:dev image; all working fine.
@gosha20777 I ran the command on your image
docker run --rm gosha20777/openssl-gost:dev curl https://portal.rosreestr.ru:4455 -k -v
and got the same error
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 217.77.104.130:4455...
* TCP_NODELAY set
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to portal.rosreestr.ru (217.77.104.130) port 4455 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [64 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2160 bytes data]
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
{ [682 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
} [7 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [171 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS alert, decode error (562):
{ [2 bytes data]
* error:1400041A:SSL routines::tlsv1 alert decode error
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (35) error:1400041A:SSL routines::tlsv1 alert decode error
What do you mean "all working fine"?
@rnixik it is a very strange site. Sometimes it works, but sometimes not. I have updated nginx and openssl to the latest version. This site has some problems. But when it works, it works only on my version of openssl-gost. I don't know why.
It was yesterday at 9pm:
root@dbbc7f1a4ad9:/c/workspace# curl https://portal.rosreestr.ru:4455 -k -v --key key.pem --cert cert.pem
* Trying 217.77.104.130:4455...
* TCP_NODELAY set
* Connected to portal.rosreestr.ru (217.77.104.130) port 4455 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / GOST2012-GOST8912-GOST8912
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: OGRN=1047796940465; INN=007706560536; street=\U0443\U043B. \U0412\U043E\U0440\U043E\U043D\U0446\U043E\U0432\U043E \U041F\U043E\U043B\U0435, \U0434. 4\U0410; L=\U041C\U043E\U0441\U043A\U0432\U0430; ST=77 \U041C\U043E\U0441\U043A\U0432\U0430; C=RU; emailAddress=00_OZIL1@rosreestr.ru; O=\U0420\U043E\U0441\U0440\U0435\U0435\U0441\U0442\U0440; CN=\U0420\U043E\U0441\U0440\U0435\U0435\U0441\U0442\U0440
* start date: Feb 1 12:28:23 2019 GMT
* expire date: May 1 12:28:23 2020 GMT
* issuer: OGRN=1027700485757; INN=007705401340; C=RU; ST=77 \U041C\U043E\U0441\U043A\U0432\U0430; L=\U041C\U043E\U0441\U043A\U0432\U0430; street=\U043F\U0435\U0440\U0435\U0443\U043B\U043E\U043A \U041E\U0440\U043B\U0438\U043A\U043E\U0432, \U0434\U043E\U043C 10, \U0441\U0442\U0440\U043E\U0435\U043D\U0438\U0435 1; OU=\U0423\U0434\U043E\U0441\U0442\U043E\U0432\U0435\U0440\U044F\U044E\U0449\U0438\U0439 \U0446\U0435\U043D\U0442\U0440; O=\U0424\U0413\U0411\U0423 "\U0424\U041A\U041F \U0420\U043E\U0441\U0440\U0435\U0435\U0441\U0442\U0440\U0430"; CN=\U0424\U0413\U0411\U0423 "\U0424\U041A\U041F \U0420\U043E\U0441\U0440\U0435\U0435\U0441\U0442\U0440\U0430"
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET / HTTP/1.1
> Host: portal.rosreestr.ru:4455
> User-Agent: curl/7.67.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.14.2
< Date: Tue, 19 Nov 2019 13:27:52 GMT
< Content-Type: text/html
< Content-Length: 612
< Last-Modified: Fri, 08 Feb 2019 18:42:37 GMT
< Connection: keep-alive
< ETag: "5c5dcd9d-264"
< Accept-Ranges: bytes
<
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
* Connection #0 to host portal.rosreestr.ru left intact
Anyway, I've updated the versions of the libs and pushed a new image. The error 'unsupported parameter set' is gone. Now we have
curl: (35) error:1409441A:SSL routines:ssl3_read_bytes:tlsv1 alert decode error
for https://portal.rosreestr.ru:4455 and currently I don't know how to solve it. Is it working with any other applications?
@rnixik yes, it works with other sites. But with this site it works only SOMETIMES. I don't know why... I think that the problem is in this site...
Can you also update nginx to 1.17+ and openssl to 1.1.1d?
Look here: https://github.com/gosha20777/openssl-gost/blob/master/nginx-gost/Dockerfile
I am not sure that I have done everything correctly... But it works in some apps.
I think that maybe I need to copy gost.so and costdum gostum.1.1 etc. to some dir..
Hi everyone! I have the same problem. I found something:
Host portal.rosreestr.ru:4455 has the certificate rosreestr.pem. In openssl with the gost engine, this certificate throws the same error when openssl tries to decode the public key of the certificate. Command:
> openssl x509 -noout -text -in rosreestr.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
77:01:b0:7a:c4:0c:d1:86:e9:11:1e:26:95:31:6f:42
Signature Algorithm: GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)
Issuer: OGRN = 1027700485757, INN = 007705401340, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA \D0\9E\D1\80\D0\BB\D0\B8\D0\BA\D0\BE\D0\B2, \D0\B4\D0\BE\D0\BC 10, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", OU = \D0\A3\D0\B4\D0\BE\D1\81\D1\82\D0\BE\D0\B2\D0\B5\D1\80\D1\8F\D1\8E\D1\89\D0\B8\D0\B9 \D1\86\D0\B5\D0\BD\D1\82\D1\80, O = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\", CN = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\"
Validity
Not Before: Feb 1 12:28:23 2019 GMT
Not After : May 1 12:28:23 2020 GMT
Subject: OGRN = 1047796940465, INN = 007706560536, street = "\D1\83\D0\BB. \D0\92\D0\BE\D1\80\D0\BE\D0\BD\D1\86\D0\BE\D0\B2\D0\BE \D0\9F\D0\BE\D0\BB\D0\B5, \D0\B4. 4\D0\90", L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, C = RU, emailAddress = 00_OZIL1@rosreestr.ru, O = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80, CN = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80
Subject Public Key Info:
Public Key Algorithm: GOST R 34.10-2012 with 256 bit modulus
Unable to load Public Key
140336769119296:error:8006607F:lib(128):FILL_GOST_EC_PARAMS:unsupported parameter set:/usr/local/src/gost/gost-engine/engine/gost_ec_sign.c:82:
140336769119296:error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error:../crypto/x509/x_pubkey.c:125:
...
However, CryptoPro CSP parses the public key from portal.rosreestr.ru:4455 successfully (for example in IE).
I know another GOST host with the same connection parameters, services.technokad.ru:443, which connects with no errors.
With the web tool http://gostcrypto.com/demo-cp-keys.html I parsed the certificates (rosreestr.pem and technokad.pem) from both hosts and saw different elliptic curve settings.
technokad.pem
...
subjectPublicKeyInfo: {
algorithm: {
name: "GOST R 34.10-256",
id: "id-tc26-gost3410-12-256",
namedCurve: "X-256-A"
},
...
rosreestr.pem
...
subjectPublicKeyInfo: {
algorithm: {
name: "GOST R 34.10-256",
id: "id-tc26-gost3410-12-256",
namedCurve: "T-256-A"
},
...
It seems that openssl simply does not support the curve with code T-256-A. What is this curve? Have you had any success with your problem? Thanks.
rosreestr.pem from portal.rosreestr.ru:4455
technokad.pem from services.technokad.ru:443
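A way to read the public-key parameter set straight from a certificate's DER bytes, without a GOST engine, so the two certificates compared above can be told apart even when `openssl x509` fails with "unsupported parameter set". This is an added example, not code from the thread or from gost-engine; the sample certificates are constructed, unsigned skeletons, and matching the OID names to the web tool's "T-256-A" / "X-256-A" labels is an assumption.

```python
PARAM_SETS = {
    "1.2.643.2.2.35.1": "id-GostR3410-2001-CryptoPro-A-ParamSet",
    "1.2.643.2.2.36.0": "id-GostR3410-2001-CryptoPro-XchA-ParamSet",
    "1.2.643.7.1.2.1.1.1": "id-tc26-gost-3410-2012-256-paramSetA",
}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):  # elements inside a constructed value
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def decode_oid(body):  # OID content bytes -> dotted string
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def key_param_set(cert_der):
    """Return (key algorithm OID, parameter-set OID, name) from the certificate's SPKI."""
    _, s, e = read_tlv(cert_der, 0)                     # Certificate
    _, s, e = children(cert_der, s, e)[0]               # tbsCertificate
    fields = children(cert_der, s, e)
    spki = fields[6] if fields[0][0] == 0xA0 else fields[5]  # explicit [0] version is optional
    alg_id = children(cert_der, spki[1], spki[2])[0]    # AlgorithmIdentifier
    alg, params = children(cert_der, alg_id[1], alg_id[2])[:2]
    pset = children(cert_der, params[1], params[2])[0]  # publicKeyParamSet comes first
    oid = decode_oid(cert_der[pset[1]:pset[2]])
    return decode_oid(cert_der[alg[1]:alg[2]]), oid, PARAM_SETS.get(oid, "unknown")

def _der(tag, *parts):  # short-form DER encoder, only for building the sample
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)

def sample_cert(param_oid_hex):  # constructed, unsigned certificate skeleton
    alg = _der(0x30, bytes.fromhex("06082a85030701010101"), _der(0x30, bytes.fromhex(param_oid_hex)))
    spki = _der(0x30, alg, _der(0x03, b"\x00\x04\x02\xaa\xbb"))
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", *[_der(0x30)] * 4, spki)
    return _der(0x30, tbs, _der(0x30), _der(0x03, b"\x00"))

TC26_A = "06092a8503070102010101"  # constructed sample: OID 1.2.643.7.1.2.1.1.1
XCH_A = "06072a850302022400"       # constructed sample: OID 1.2.643.2.2.36.0
```

For a real certificate, pass the base64-decoded body of the PEM file to `key_param_set`.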
@zubosem Great examples! Could you create the issue in the gost-engine https://github.com/gost-engine/engine/issues with your observations please?
Ok. Good idea. I already did it https://github.com/gost-engine/engine/issues/188
@zubosem I thought you'd worked with the latest version of the image. I checked and it is working:
docker pull rnix/openssl-gost && docker run --rm -i -t -v `pwd`:`pwd` -w `pwd` rnix/openssl-gost openssl x509 -noout -text -in rosreestr.pem
Result:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
77:01:b0:7a:c4:0c:d1:86:e9:11:1e:26:95:31:6f:42
Signature Algorithm: GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)
Issuer: OGRN = 1027700485757, INN = 007705401340, C = RU, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, street = "\D0\BF\D0\B5\D1\80\D0\B5\D1\83\D0\BB\D0\BE\D0\BA \D0\9E\D1\80\D0\BB\D0\B8\D0\BA\D0\BE\D0\B2, \D0\B4\D0\BE\D0\BC 10, \D1\81\D1\82\D1\80\D0\BE\D0\B5\D0\BD\D0\B8\D0\B5 1", OU = \D0\A3\D0\B4\D0\BE\D1\81\D1\82\D0\BE\D0\B2\D0\B5\D1\80\D1\8F\D1\8E\D1\89\D0\B8\D0\B9 \D1\86\D0\B5\D0\BD\D1\82\D1\80, O = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\", CN = \D0\A4\D0\93\D0\91\D0\A3 \"\D0\A4\D0\9A\D0\9F \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80\D0\B0\"
Validity
Not Before: Feb 1 12:28:23 2019 GMT
Not After : May 1 12:28:23 2020 GMT
Subject: OGRN = 1047796940465, INN = 007706560536, street = "\D1\83\D0\BB. \D0\92\D0\BE\D1\80\D0\BE\D0\BD\D1\86\D0\BE\D0\B2\D0\BE \D0\9F\D0\BE\D0\BB\D0\B5, \D0\B4. 4\D0\90", L = \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, ST = 77 \D0\9C\D0\BE\D1\81\D0\BA\D0\B2\D0\B0, C = RU, emailAddress = 00_OZIL1@rosreestr.ru, O = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80, CN = \D0\A0\D0\BE\D1\81\D1\80\D0\B5\D0\B5\D1\81\D1\82\D1\80
Subject Public Key Info:
Public Key Algorithm: GOST R 34.10-2012 with 256 bit modulus
Public key:
X:70081376D7EBF768D91CFF51A34262C45476BC12F03FB1321CB7F4FD75721FCA
Y:8B29C3A9DCD8CF7599C2CBAAA4D8C599C41EFBF57F471A13C2A81398FB278CAF
Parameter set: GOST R 34.10-2012 (256 bit) ParamSet A
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
X509v3 Subject Key Identifier:
0B:3F:8F:BA:5A:C3:9E:1F:2A:87:74:3D:62:5D:EA:28:EF:B3:09:D7
X509v3 Authority Key Identifier:
keyid:81:B5:05:E9:37:BD:70:51:84:10:96:21:80:2E:07:92:01:B9:F9:49
DirName:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/L=\xD0\xB3. \xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0
serial:17:9C:B3:A9:00:00:00:00:00:9B
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection, 1.2.643.2.2.34.6, 1.2.643.5.1.24.2.2.5, TLS Web Server Authentication, 1.2.643.2.64.1.1.1
X509v3 Certificate Policies:
Policy: 1.2.643.100.113.1
Policy: 1.2.643.100.113.2
X509v3 Subject Alternative Name:
DirName:/unstructuredAddress=\xD0\x92\xD0\xB5\xD0\xB1-\xD1\x81\xD0\xB5\xD1\x80\xD0\xB2\xD0\xB8\xD1\x81, DNS:portal.rosreestr.ru
X509v3 Private Key Usage Period:
Not Before: Feb 1 12:28:23 2019 GMT, Not After: May 1 12:28:23 2020 GMT
Signing Tool of Issuer:
0....P........ ".................. CSP" ............ 4.0 (.................... 2-Base)..."....................-.................... ................ "............................ .......... ".................. ...." ............ 2.0" (.............. .................... 5).O.................... ........................ ... ..../124-3570 .... 14.12.2018.O.................... ........................ ... ..../128-2983 .... 18.11.2016
Signing Tool of Subject:
.4........ ".................. CSP" (............ 4.0)
X509v3 CRL Distribution Points:
Full Name:
URI:http://uc.kadastr.ru/revoke/index/revoked4.crl
Authority Information Access:
CA Issuers - URI:http://uc.kadastr.ru/root/index/root4.cer
Signature Algorithm: GOST R 34.10-2012 with GOST R 34.11-2012 (256 bit)
e4:c8:f2:32:e0:0c:a2:91:a1:39:af:d5:54:9b:be:a8:2b:93:
07:64:59:c5:46:76:ce:72:1d:7b:14:fc:5c:9d:37:62:4f:b7:
96:68:42:83:11:8d:39:b2:37:0d:07:5c:de:6e:b0:fc:ab:78:
5d:2e:f5:56:51:58:85:75:c9:42
Hmm... Is it the master (not 1_1_0) branch of gost engine in the image?
Yes. It is. This commit is the latest in the image https://github.com/gost-engine/engine/commit/58a46b289d6b8df06072fc9c0304f4b2d3f4b051
Yeah! The build from the master branch worked. Thanks!
OK, the original issue 'FILL_GOST_EC_PARAMS:unsupported parameter set' is resolved with an update of OpenSSL and GOST Engine: docker pull rnix/openssl-gost.
@rnixik can you run commands in your docker image and check results?
> openssl s_client -cert your_certificate.pem -key your_private.key -CAfile your_cabundle.crt -connect portal.rosreestr.ru:4455 -state -debug
> curl -v -k https://portal.rosreestr.ru:4455 --cert your_certificate.pem --key your_private.key
@zubosem I don't have your_* files.
Do you have your own? Can you try with your certificate and private key? Thanks
No, I can't. I don't have any private keys with GOST.
Hi guys! Yep, all works fine, but what about nginx?
I couldn't get it to work, although I compiled it with the latest version of gost engine and openssl. As a result, I solved the problem like this: I wrote a python server that simply calls curl with the necessary parameters. Everything works pretty well, but I still don't understand what to do with the nginx server. I'm interested in trying it ...
Link to my nginx version: https://github.com/gosha20777/openssl-gost/tree/master/nginx-gost
Link to my python curl-based server: https://github.com/gosha20777/openssl-gost/tree/master/python-gost
@gosha20777 This is a working example: https://github.com/rnixik/docker-openssl-gost/blob/master/nginx-gost/Dockerfile Try it again.
Hello, calling curl from a container:
curl -d "param1=value1&param2=value2" -X POST host_here
Getting this error: curl: (35) error:8006607F:lib(128):FILL_GOST_EC_PARAMS:unsupported parameter set
Also, it worked a couple of days ago.